The .NET Framework 3.5 SP1 and earlier versions do not let applications use the Transport Layer Security (TLS) system default versions as a cryptographic protocol. This update enables the use of TLS v1.2 in the .NET Framework 3.5 SP1.

Note This content has been made available on Windows Update. To obtain the content, scan Windows Update for the latest .NET Framework updates. If your system is fully up to date via Windows Update, you do not need to take further action.

Resolution

Download information

The following files are available for download from the Microsoft Download Center:

Note If the application has set ServicePointManager.SecurityProtocol to a specific value in code or through config files, or uses the SslStream.AuthenticateAs* APIs to specify a specific SslProtocols enumeration value, the registry setting has no effect: the value set by the application wins.

In addition, we have added the SslProtocolsExtensions enumeration, which you can use to set TLS v1.2, TLS v1.1, or the operating system defaults for the ServicePointManager.SecurityProtocol property when targeting .NET Framework version 2.0 SP2. (See the Developer Guidance section for information on how to use the extensions.)

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Applications that use the SslStream AuthenticateAsClient(String, X509CertificateCollection, SslProtocols, Boolean) overload can pass SslProtocolsExtensions.Tls12 as the SslProtocols value.

If the registry key mentioned in the first paragraph is set and the application sets the SslProtocols value to SslProtocols.None, the system default behavior is used; which protocols that enables depends on the Windows operating system version.

Also, when you change the application code to enable TLS v1.2 support with .NET Framework 3.5 SP1, make sure that on computers where this hotfix is not deployed the application handles the following exceptions:

If the hotfix is not installed, ServicePointManager-based APIs (HTTP, FTP, SMTP) throw "System.NotSupportedException: The requested security protocol is not supported." when the application sets ServicePointManager.SecurityProtocol to the new value.

If the hotfix is not installed, SslStream-based APIs throw the following when either of the AuthenticateAs* APIs is called:

System.ArgumentException: The specified value is not valid in the 'SslProtocolType' enumeration.
Parameter name: sslProtocolType

Note For SslStream only, a combination of Tls12 or Tls11 with any of the existing values Tls, Ssl3, Ssl2 (for example, Tls12 | Tls11 | Tls) silently downgrades to the existing protocols (for example, Tls) on a system without the patch: the connection is made with Tls and no exception is thrown.
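The following C# program is an added example, not code from the article; it ties the developer guidance above together. It defines the SslProtocolsExtensions constants itself, because the article names the enumeration but does not list its values: the values used here (TLS 1.1 = 0x300, TLS 1.2 = 0xC00) are the ones the .NET Framework 4.5 SslProtocols and SecurityProtocolType enumerations use, and SecurityProtocolTypeExtensions is a hypothetical companion for ServicePointManager. It sets ServicePointManager.SecurityProtocol and catches the NotSupportedException an unpatched machine raises, then opens an SslStream with the AuthenticateAsClient overload from the text, catches the ArgumentException, and reads SslStream.SslProtocol after the handshake so that a silent downgrade to TLS 1.0 is reported instead of going unnoticed. Certificate validation is left at the SslStream default.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Assumption: values match the .NET 4.5 SslProtocols enumeration; the article does not list them.
public static class SslProtocolsExtensions
{
    public const SslProtocols Tls12 = (SslProtocols)0x00000C00;
    public const SslProtocols Tls11 = (SslProtocols)0x00000300;
}

// Hypothetical companion for ServicePointManager.SecurityProtocol (same numeric values).
public static class SecurityProtocolTypeExtensions
{
    public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;
    public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;
    public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
}

public static class Tls12Enablement
{
    // HTTP/FTP/SMTP clients: on a machine without the hotfix the setter throws
    // NotSupportedException. Report it and return false rather than carrying on with TLS 1.0.
    public static bool TryEnableTls12ForServicePointManager()
    {
        try
        {
            ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
            return true;
        }
        catch (NotSupportedException ex)
        {
            Console.Error.WriteLine("Hotfix not installed; TLS 1.2 is unavailable: " + ex.Message);
            return false;
        }
    }

    // SslStream: request TLS 1.2 only. On an unpatched machine AuthenticateAsClient throws
    // ArgumentException for the unknown enumeration value. After the handshake,
    // SslStream.SslProtocol shows what was actually negotiated; comparing it numerically
    // exposes the silent downgrade that a mixed value such as Tls12 | Tls11 | Tls can cause.
    public static SslProtocols ConnectWithTls12(string host, int port)
    {
        TcpClient client = new TcpClient(host, port);
        SslStream ssl = new SslStream(client.GetStream(), false); // default certificate validation
        try
        {
            ssl.AuthenticateAsClient(host, new X509CertificateCollection(), SslProtocolsExtensions.Tls12, true);
        }
        catch (ArgumentException ex)
        {
            Console.Error.WriteLine("Hotfix not installed; SslStream rejected TLS 1.2: " + ex.Message);
            ssl.Close();
            throw;
        }

        SslProtocols negotiated = ssl.SslProtocol;
        if ((int)negotiated < (int)SslProtocolsExtensions.Tls12)
        {
            // Downgrade detected: close rather than keep talking over an older protocol.
            ssl.Close();
            throw new AuthenticationException("Negotiated " + negotiated + " instead of TLS 1.2");
        }
        ssl.Close();
        return negotiated;
    }

    public static void Main(string[] args)
    {
        // Host and port are placeholders; substitute a server you operate.
        string host = args.Length > 0 ? args[0] : "example.invalid";
        Console.WriteLine("ServicePointManager TLS 1.2 enabled: " + TryEnableTls12ForServicePointManager());
        try
        {
            Console.WriteLine("SslStream negotiated: " + ConnectWithTls12(host, 443));
        }
        catch (Exception ex)
        {
            Console.WriteLine("TLS 1.2 connection failed: " + ex.GetType().Name);
        }
    }
}
```

The numeric comparison works because the SslProtocols values increase with protocol version (Ssl2 = 12, Ssl3 = 48, Tls = 192, Tls11 = 768, Tls12 = 3072); on a patched machine the property reports the new value, on an unpatched one the ArgumentException path is taken first.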

More Information

Note TLS v1.1 and v1.2 are not available in Windows Vista or Windows Server 2008.

If you have to disable, for specific applications, the operating system defaults set by the registry key mentioned earlier, add the following registry key and one value per application:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.SystemDefaultTlsVersions

Value name: <<Full path of the .exe for the file>>    Type: DWORD    Data: 0

Example:
Value name: C:\MyApp\MyApp.exe    Type: DWORD    Data: 0